Ransomware gang Hunters International today announced it is shutting down.
In the roughly two years that Hunters International was active, Comparitech researchers have logged 55 confirmed ransomware attacks claimed by the group, plus 199 unconfirmed claims that were never publicly acknowledged by the attacked companies. In total, those confirmed attacks compromised 3.25 million records.
Here’s a breakdown of confirmed Hunters International attacks by sector:
- 55 attacks on businesses
- 2 attacks on schools and universities
- 16 attacks on government entities
- 19 attacks on hospitals, clinics, and other direct care providers
Hunters’ attacks on hospitals and clinics accounted for the majority of compromised personal records: 2.9 million.
Of the 55 confirmed attacks on businesses, Hunters targeted manufacturers the most. The group launched 12 confirmed attacks on manufacturers. Hunters targeted a wide array of businesses that span service (4), construction (4), finance (6), technology (6), legal (2), food and beverage (3), retail (2), healthcare (5), and utilities (3).
Hunters International ransom demands
Hunters doesn’t normally reveal its ransom demands to the public, nor do the organizations that it targets. Only two companies have disclosed ransom demands:
- Hoya Corporation in Japan notified 6,500 people of a data breach in March 2024. Hunters demanded $10 million.
- Azienda USL di Modena in Italy says it refused to pay a $3 million ransom demanded by Hunters in November 2023
Biggest breaches claimed by Hunters International
Some of Hunters biggest attack claims in the US by number of records compromised include:
- Fred Hutchinson Cancer Center notified 1,840,927 people of a November 2023 data breach. In addition to extorting the Center, Hunters contacted patients and demanded $50 in ransom to delete their data
- Omni Family Health notified 468,344 people of an August 2024 data breach
- Arisa Health notified 375,436 people of a March 2024 data breach
- Bojangles Restaurants notified 165,106 people of a February 2024 data breach
- Northeast Rehabilitation Hospital Network notified 136,724 people of a May 2024 data breach
We’ve covered several more individual Hunters attack claims, including those on the City of St. Cloud, Florida; Therapeutic Health Services in Washington; and Hanon Systems in Korea.
World Leaks: the new Hunters International spin off
Threat intelligence firm Group-IB in April 2025 said Hunters International was in the process of rebranding as World Leaks, a new extortion operation that steals data but doesn’t use encryption.
World Leaks has so far claimed responsibility for 33 attacks on targets that include Chain IQ (Switzerland) and Freedom Healthcare in Colorado.
Hunters says it will offer free decryption software to companies that its ransomware infected but that have not paid ransoms yet.
“After careful consideration and in light of recent developments, we have decided to close the Hunters International Project. This decision was not maid lightly, and we recognize the impact it has on the organizations we have interacted with,” says the announcement posted on Hunters’ website. “As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.
Hunters International was one of the most prolific ransomware gangs of the past few years. Comparitech researchers have been monitoring the group first emerged around October 2023. Experts say Hunters is a spin-off of an earlier ransomware group called Hive.
Hunters employed double extortion attacks in which it would both steal data and lock down computer systems. Infected organizations would then have to pay a ransom or face extended downtime, permanent data loss, and the release of stolen data.
